
Email Security and Phishing Prevention: Protecting Saudi Businesses from BEC Attacks
Email: The Widest Gateway for Cyberattacks
Email remains the most widely used vehicle for cyberattacks globally, with over 90% of successful attacks beginning with a malicious email. In Saudi Arabia, phishing attacks are increasing significantly as digital business expands and reliance on electronic correspondence in commercial and government transactions grows.
Business Email Compromise (BEC) attacks pose a particular threat to Saudi companies, as attackers target high-value financial transactions and bank transfers by impersonating executives or suppliers. Global losses from BEC attacks are estimated at billions of dollars annually.
Types of Email Attacks
Phishing: Mass emails impersonating trusted entities like banks or government agencies to steal user credentials. They typically use fake links that mimic legitimate websites.
Spear Phishing: Targeted attacks directed at specific individuals or groups using personal information gathered from open sources to increase message credibility.
Whaling: Targeted phishing specifically aimed at C-suite executives and board members, characterized by a high level of sophistication and personalization.
Business Email Compromise (BEC): Impersonating an executive or supplier to direct financial transfers to attacker-controlled accounts. Typically does not involve malware but relies on social engineering.
Malware-Laden Email: Messages containing malicious attachments such as macro-embedded Office files or weaponized PDFs to install ransomware or trojans.
BEC Attacks in the Saudi Context
BEC attacks increasingly target Saudi companies for several reasons:
Transaction Volume: Saudi companies handle high-value financial transfers, especially in oil and gas, construction, and international trade sectors, making them lucrative targets.
International Supplier Relationships: Frequent dealings with suppliers from various countries make it easier for attackers to impersonate a foreign supplier and alter bank account details.
Hierarchical Trust: Organizational culture that places high importance on executive directives may make employees less inclined to question requests that appear to come from the CEO.
Weak Dual Verification: Some companies have no dual verification procedure for large financial transactions, so a transfer can be executed on the strength of a single email.
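The BEC patterns described above (executive impersonation, altered supplier bank details, pressure not to question the request) leave traces in message headers and wording that a mail filter or SOC rule can check before a finance team acts. The following Python script is an added illustration, not code from the original article: it scores a raw message against four heuristics (display name of a known executive paired with a foreign address, Reply-To pointing to another domain, a lookalike of a trusted domain within edit distance 2, and urgency combined with payment language). The executive list, trusted domains and both sample messages are constructed for the example.

```python
"""Header and content heuristics for spotting BEC-style impersonation.

Added illustration; not code from the original article. The executive list,
trusted domains and the two sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data: known executives, and the domains that mail from
# the organisation and its approved suppliers is expected to carry.
EXECUTIVES = {"ahmed al-fulan": "ahmed.alfulan@example-sa.example"}
TRUSTED_DOMAINS = {"example-sa.example", "supplier-intl.example"}
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "bank account", "iban", "invoice")


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as examp1e."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_message(raw, executives=EXECUTIVES, trusted=TRUSTED_DOMAINS):
    """Return the set of indicator names triggered by one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = set()
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Display name matches a known executive, but the address is not theirs.
    expected = executives.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.add("display_name_impersonation")

    # 2. Replies are silently redirected to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.add("reply_to_mismatch")

    # 3. Sender or reply domain is a close misspelling of a trusted domain.
    for candidate in {from_domain, domain_of(reply_addr)} - {""}:
        if candidate not in trusted and any(
                edit_distance(candidate, t) <= 2 for t in trusted):
            findings.add("lookalike_domain")

    # 4. Urgent language combined with payment instructions.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.add("urgent_payment_language")
    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Ahmed Al-Fulan <ahmed.alfulan@examp1e-sa.example>
Reply-To: ahmed.alfulan.ceo@freemail.example
To: finance@example-sa.example
Subject: Urgent wire transfer - confidential

Please update the supplier's bank account details and release the transfer
today. Keep this confidential until I am back in the office.
"""

BENIGN = """\
From: Ahmed Al-Fulan <ahmed.alfulan@example-sa.example>
To: finance@example-sa.example
Subject: Q3 board deck

Attached is the draft deck for review before Thursday.
"""

if __name__ == "__main__":
    print("suspicious:", sorted(analyze_message(SUSPICIOUS)))
    print("benign:", sorted(analyze_message(BENIGN)))
```

None of these indicators is proof on its own; the value is in routing any message that trips the impersonation or lookalike checks, and that asks for a payment change, into the out-of-band verification step rather than straight to the finance team.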
Email Authentication Protocols: SPF, DKIM, and DMARC
Email authentication protocols form the first line of defense against domain impersonation. These three protocols work together as a complementary system:
Sender Policy Framework (SPF)
SPF (Sender Policy Framework) defines the servers authorized to send email on behalf of the organization's domain. It is published as a DNS TXT record listing the authorized IP addresses and networks. When a mail server receives a message, it checks whether the connecting server's IP address is authorized by the SPF record of the envelope sender's domain.
DomainKeys Identified Mail (DKIM)
DKIM (DomainKeys Identified Mail) adds a cryptographic digital signature to every outgoing message, computed with a private key held by the sending organization. The receiving server verifies the signature using the public key published in the domain's DNS records. DKIM ensures that the signed headers and body have not been modified in transit and proves the message was signed by the domain named in the signature.
Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC builds on SPF and DKIM: it requires the domain that passed either check to align with the domain in the visible From header, and it defines the policy to follow when authentication fails. Policies range from monitoring only (p=none) to quarantine (p=quarantine) to full rejection (p=reject). DMARC also delivers reports on who is sending mail for the domain, including domain impersonation attempts.
The optimal setup begins with a DMARC policy in monitoring mode (p=none) to collect data and identify legitimate mail sources, then gradually progresses to a reject policy (p=reject) once SPF and DKIM are confirmed to be correctly configured for all legitimate mail sources.
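To make the interaction of the three protocols concrete, the following Python script is an added example, not code from the original article. It evaluates an SPF record (ip4, ip6, include and all mechanisms), parses a DMARC record into its tags, and applies DMARC's alignment rule to decide pass or fail. DNS is replaced by an in-memory table of constructed TXT records for hypothetical .example domains, so it runs offline; relaxed alignment is approximated as a parent/subdomain relationship (real implementations use the Public Suffix List), and the DKIM signature verification result is supplied by the caller rather than computed.

```python
"""SPF evaluation and DMARC alignment against a constructed, in-memory DNS table.

Added illustration; not code from the original article. Domain names, IP
addresses and records are constructed (documentation ranges, .example names).
"""
import ipaddress

# Constructed DNS TXT records (hypothetical domains; stands in for real lookups).
DNS_TXT = {
    "example-sa.example": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    ],
    "_spf.mailhost.example": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "_dmarc.example-sa.example": [
        "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-sa.example",
    ],
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, dns=DNS_TXT):
    return dns.get(name.lower(), [])


def get_spf(domain, dns=DNS_TXT):
    """Return the domain's SPF record, or None if it publishes none."""
    for rec in lookup_txt(domain, dns):
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def check_spf(domain, sender_ip, dns=DNS_TXT, depth=0):
    """Evaluate ip4/ip6/include/all mechanisms (a, mx and exists are not modelled)."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = get_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return SPF_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:  # an IPv4 address never matches an ip6 network
                return SPF_RESULT[qualifier]
        elif name == "include":
            if check_spf(arg, sender_ip, dns, depth + 1) == "pass":
                return SPF_RESULT[qualifier]
    return "neutral"  # nothing matched and no explicit "all"


def get_dmarc(domain, dns=DNS_TXT):
    """Parse the _dmarc TXT record into a tag dictionary, or None if absent."""
    for rec in lookup_txt("_dmarc." + domain, dns):
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                key, _, value = part.strip().partition("=")
                if key:
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def aligned(domain, from_domain, mode="r"):
    """Strict (s) alignment needs equality; relaxed (r) is approximated here as a
    parent/subdomain relationship (assumption: real code uses the organizational domain)."""
    domain, from_domain = domain.lower(), from_domain.lower()
    if mode == "s":
        return domain == from_domain
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))


def dmarc_evaluate(from_domain, mail_from_domain, sender_ip,
                   dkim_domain=None, dkim_valid=False, dns=DNS_TXT):
    """Return (dmarc_result, published_policy). dkim_valid is the signature
    verification outcome supplied by the caller; the crypto is out of scope here."""
    tags = get_dmarc(from_domain, dns)
    if tags is None:
        return "none", None
    spf_ok = (check_spf(mail_from_domain, sender_ip, dns) == "pass"
              and aligned(mail_from_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_valid and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    return ("pass" if (spf_ok or dkim_ok) else "fail"), tags.get("p", "none")


if __name__ == "__main__":
    print(check_spf("example-sa.example", "203.0.113.10"))     # pass
    print(check_spf("example-sa.example", "198.51.100.7"))     # fail
    print(dmarc_evaluate("example-sa.example", "other.example", "198.51.100.7",
                         dkim_domain="example-sa.example", dkim_valid=True))
```

The last call shows why DKIM matters for forwarded or third-party mail: SPF fails because the sending host is not in the record, yet DMARC still passes because the message carries a valid signature from the aligned domain. With adkim=s, a signature from a subdomain such as mail.example-sa.example would not align, which is the kind of configuration gap the monitoring phase is meant to surface.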
Multi-Layered Defense Strategy
Authentication protocols alone are not sufficient to protect email. A comprehensive approach combining multiple defensive layers is required:
Secure Email Gateway: Advanced filtering of inbound and outbound messages including attachment analysis in isolated environments (sandboxing) and real-time link scanning.
Advanced Threat Protection (ATP): Systems using AI and machine learning to detect sophisticated phishing messages that bypass traditional filters.
Multi-Factor Authentication (MFA): Apply MFA to all email accounts to prevent unauthorized access even if credentials are stolen.
Continuous Awareness and Training: Conduct periodic simulated phishing campaigns to measure employee awareness levels and identify individuals who need additional training.
Financial Verification Procedures: Mandate dual verification through a separate communication channel (such as a phone call) for any change in bank account details or transfer requests exceeding a defined financial threshold.
Implementation Roadmap
Initial Assessment: Review current email settings and identify gaps in authentication and protection. Inspect DNS records to verify the presence of SPF, DKIM, and DMARC.
Protocol Configuration: Set up SPF and DKIM for all legitimate mail sources, then deploy DMARC with a p=none policy for monitoring.
Gradual Enforcement: After a sufficient monitoring period and report analysis, progressively move to p=quarantine then p=reject.
Deploy Advanced Solutions: Implement a Secure Email Gateway and ATP systems, integrating them with the existing SIEM infrastructure.
Continuous Monitoring: Regularly review DMARC reports, track phishing indicators, and update policies based on emerging threats.
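The gradual enforcement and continuous monitoring steps both depend on reading the DMARC aggregate reports that receivers send to the rua address. The following Python script is an added example, not code from the original article: it parses an aggregate report in the standard XML feedback format, totals passing and failing volume per source IP, lists the sources that fail both SPF and DKIM, and applies a simple readiness heuristic before moving from p=none to p=quarantine. The report content, domain and IP addresses are constructed, and the 98% pass-rate threshold is an assumption rather than a standard value.

```python
"""Summarise a DMARC aggregate (rua) report to support the move to enforcement.

Added illustration; not code from the original article. The XML below is a
constructed report for a hypothetical domain, shaped like real receiver reports.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """\
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example-sa.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-sa.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-sa.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.44</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-sa.example</header_from></identifiers>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Extract the published policy and one entry per source IP row."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    report = {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": evaluated.findtext("dkim"),   # aligned DKIM result
            "spf": evaluated.findtext("spf"),     # aligned SPF result
            "disposition": evaluated.findtext("disposition"),
        })
    return report


def summarize(report):
    """DMARC passes when either aligned check passes; everything else would be
    quarantined or rejected once the policy is tightened."""
    total = sum(s["count"] for s in report["sources"])
    passing = sum(s["count"] for s in report["sources"]
                  if s["dkim"] == "pass" or s["spf"] == "pass")
    failing = sorted(s["ip"] for s in report["sources"]
                     if s["dkim"] != "pass" and s["spf"] != "pass")
    return {
        "domain": report["domain"],
        "policy": report["policy"],
        "total": total,
        "pass_rate": passing / total if total else 0.0,
        "failing_sources": failing,
    }


def ready_for_enforcement(summary, threshold=0.98):
    """Heuristic: tighten the policy only when nearly all volume authenticates
    (threshold is an assumption for this example, not a standard value)."""
    return summary["pass_rate"] >= threshold


def summarize_sample():
    return summarize(parse_aggregate_report(SAMPLE_REPORT))


if __name__ == "__main__":
    s = summarize_sample()
    print(f"{s['domain']} p={s['policy']}: {s['total']} messages, "
          f"{s['pass_rate']:.1%} pass, failing sources {s['failing_sources']}")
    print("ready for p=quarantine:", ready_for_enforcement(s))
```

Each failing source has to be classified before enforcement: a legitimate system that was never added to SPF or never signed with DKIM (fix the configuration and re-check the next reports), or an unknown host sending mail in the domain's name, which is exactly the impersonation a p=reject policy will stop.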
Conclusion: Email Protection Is a Shared Responsibility
Email remains the primary vector for cyberattacks, and protecting it requires an approach that combines technology, processes, and human awareness. SPF, DKIM, and DMARC protocols are not optional but essential requirements that every Saudi organization must implement.
With Saudi companies increasingly targeted by sophisticated BEC attacks, email protection must be a top priority in the cybersecurity strategy. Organizations that build multi-layered defenses and invest in employee awareness will be best positioned to repel these threats and protect their financial assets and reputation.